path: root/latest_tls13.patch
blob: 2c606bc7455e292952059d0fc88876daed4c9595 (plain)
diff --git a/appveyor.yml b/appveyor.yml
index b19eb7a..7d04da9 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -10,7 +10,7 @@ clone_folder: c:\gopath\src\github.com\mholt\caddy
 environment:
   GOPATH: c:\gopath
 
-stack: go 1.11
+stack: go 1.12
 
 install:
   - set PATH=%GOPATH%\bin;%PATH%
diff --git a/caddyhttp/internalsrv/setup.go b/caddyhttp/internalsrv/setup.go
index 35c79d2..f70147a 100644
--- a/caddyhttp/internalsrv/setup.go
+++ b/caddyhttp/internalsrv/setup.go
@@ -33,7 +33,12 @@ func setup(c *caddy.Controller) error {
 		return err
 	}
 
-	httpserver.GetConfig(c).AddMiddleware(func(next httpserver.Handler) httpserver.Handler {
+	// Append Internal paths to Caddy config HiddenFiles to ensure
+	// files do not appear in Browse
+	config := httpserver.GetConfig(c)
+	config.HiddenFiles = append(config.HiddenFiles, paths...)
+
+	config.AddMiddleware(func(next httpserver.Handler) httpserver.Handler {
 		return Internal{Next: next, Paths: paths}
 	})
 
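Review bot: The `config.HiddenFiles = append(config.HiddenFiles, paths...)` line assumes HiddenFiles entries are matched with the same semantics as the internal `paths` handed to the Internal middleware; the HiddenFiles matcher is not visible in this hunk, and if it matches globs or basenames rather than URL path prefixes, files beneath an internal directory could still be listed by Browse. Worth confirming against the matcher and recording the assumption in the new comment, e.g. `// HiddenFiles entries are matched as path prefixes, same as Internal paths` (adjusted to whatever the matcher actually does). Hiding the entries is presumably defence in depth, since the Internal middleware registered on the following lines already guards direct requests, so a mismatch would be an information leak rather than an access bypass. setup's body begins before the hunk.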
diff --git a/caddyhttp/staticfiles/fileserver.go b/caddyhttp/staticfiles/fileserver.go
index 93a7c6d..0863ebe 100644
--- a/caddyhttp/staticfiles/fileserver.go
+++ b/caddyhttp/staticfiles/fileserver.go
@@ -53,7 +53,7 @@ type FileServer struct {
 
 // ServeHTTP serves static files for r according to fs's configuration.
 func (fs FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
-	if r.Method != "GET" {
+	if r.Method != "GET" && r.Method != "HEAD" {
 		return http.StatusMethodNotAllowed, nil
 	}
 	return fs.serveFile(w, r)
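Review bot: The 405 returned inside the widened method check still carries no Allow header, which RFC 7231 §6.5.5 requires on a 405 response; now that the allowed set is explicit, set it before returning: `w.Header().Set("Allow", "GET, HEAD")`. Whether fs.serveFile suppresses the body for HEAD is not visible here (it presumably ends in http.ServeContent, which does), so a quick check that HEAD does not stream the file body would round this out. ServeHTTP's closing brace is outside the hunk.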
diff --git a/caddytls/config.go b/caddytls/config.go
index 77d3795..939f3df 100644
--- a/caddytls/config.go
+++ b/caddytls/config.go
@@ -407,7 +407,7 @@ func SetDefaultTLSParams(config *Config) {
 		config.ProtocolMinVersion = tls.VersionTLS12
 	}
 	if config.ProtocolMaxVersion == 0 {
-		config.ProtocolMaxVersion = tls.VersionTLS12
+		config.ProtocolMaxVersion = tls.VersionTLS13
 	}
 
 	// Prefer server cipher suites
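Review bot: Raising the default ProtocolMaxVersion to tls.VersionTLS13 means the cipher-suite settings that follow (the `// Prefer server cipher suites` block starting on the hunk's last line) govern only TLS 1.2 and below, because Go's crypto/tls does not let Config.CipherSuites or PreferServerCipherSuites restrict the TLS 1.3 suites. A comment on the new line would save the next reader a surprise: `// TLS 1.3 suites are fixed by crypto/tls; CipherSuites below applies to <= TLS 1.2 only`. On Go 1.12 TLS 1.3 is also negotiated only when GODEBUG opts in, so without that opt-in a connection still tops out at 1.2 — the setting is a ceiling, not a guarantee, and the test in setup_test.go only checks the configured value, not the negotiated one. SetDefaultTLSParams begins before the hunk.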
@@ -430,6 +430,7 @@ var SupportedProtocols = map[string]uint16{
 	"tls1.0": tls.VersionTLS10,
 	"tls1.1": tls.VersionTLS11,
 	"tls1.2": tls.VersionTLS12,
+	"tls1.3": tls.VersionTLS13,
 }
 
 // GetSupportedProtocolName returns the protocol name
diff --git a/caddytls/selfsigned.go b/caddytls/selfsigned.go
index 367cd73..60d5345 100644
--- a/caddytls/selfsigned.go
+++ b/caddytls/selfsigned.go
@@ -62,13 +62,10 @@ func newSelfSignedCertificate(ssconfig selfSignedConfig) (tls.Certificate, error
 	if len(ssconfig.SAN) == 0 {
 		ssconfig.SAN = []string{""}
 	}
-	var names []string
 	for _, san := range ssconfig.SAN {
 		if ip := net.ParseIP(san); ip != nil {
-			names = append(names, strings.ToLower(ip.String()))
 			cert.IPAddresses = append(cert.IPAddresses, ip)
 		} else {
-			names = append(names, strings.ToLower(san))
 			cert.DNSNames = append(cert.DNSNames, strings.ToLower(san))
 		}
 	}
diff --git a/caddytls/setup.go b/caddytls/setup.go
index 02a694b..798c743 100644
--- a/caddytls/setup.go
+++ b/caddytls/setup.go
@@ -34,6 +34,10 @@ import (
 )
 
 func init() {
+	// opt-in TLS 1.3 for Go1.12
+	// TODO: remove this line when Go1.13 is released.
+	os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")
+
 	caddy.RegisterPlugin("tls", caddy.Plugin{Action: setupTLS})
 
 	// ensure the default Storage implementation is plugged in
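Review bot: The `os.Setenv` on the third added line discards its error and relies on crypto/tls reading GODEBUG lazily on first use (a sync.Once in Go 1.12) rather than at process start; if any tls.Config is built and used before this package's init runs, the opt-in is silently ineffective. The hunk also does not show `os` being added to the import block that closes on its first context line — confirm it is imported. The comment should state the ordering dependency and that an operator's explicit `tls13=0` earlier in GODEBUG still takes precedence, since, as far as I recall, crypto/tls honours the first occurrence of the key: e.g. `// crypto/tls reads GODEBUG on first use, so this must run before any TLS config is used; an explicit tls13=0 from the operator wins`. This is process-global state that also propagates to child processes, which is worth a word as well.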
diff --git a/caddytls/setup_test.go b/caddytls/setup_test.go
index e973eb2..3c5ded0 100644
--- a/caddytls/setup_test.go
+++ b/caddytls/setup_test.go
@@ -75,8 +75,8 @@ func TestSetupParseBasic(t *testing.T) {
 	if cfg.ProtocolMinVersion != tls.VersionTLS12 {
 		t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMinVersion, got %#v", cfg.ProtocolMinVersion)
 	}
-	if cfg.ProtocolMaxVersion != tls.VersionTLS12 {
-		t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMaxVersion, got %v", cfg.ProtocolMaxVersion)
+	if cfg.ProtocolMaxVersion != tls.VersionTLS13 {
+		t.Errorf("Expected 'tls1.3 (0x0304)' as ProtocolMaxVersion, got %#v", cfg.ProtocolMaxVersion)
 	}
 
 	// Cipher checks
diff --git a/vendor/github.com/mholt/certmagic/config.go b/vendor/github.com/mholt/certmagic/config.go
index 77072d4..a6528da 100644
--- a/vendor/github.com/mholt/certmagic/config.go
+++ b/vendor/github.com/mholt/certmagic/config.go
@@ -240,6 +240,10 @@ func NewWithCache(certCache *Cache, cfg Config) *Config {
 // prepared to serve them up during TLS handshakes.
 func (cfg *Config) Manage(domainNames []string) error {
 	for _, domainName := range domainNames {
+		if !HostQualifies(domainName) {
+			return fmt.Errorf("name does not qualify for automatic certificate management: %s", domainName)
+		}
+
 		// if on-demand is configured, simply whitelist this name
 		if cfg.OnDemand != nil {
 			if !cfg.OnDemand.whitelistContains(domainName) {
@@ -289,6 +293,9 @@ func (cfg *Config) Manage(domainNames []string) error {
 // it does not load them into memory. If interactive is true,
 // the user may be shown a prompt.
 func (cfg *Config) ObtainCert(name string, interactive bool) error {
+	if cfg.storageHasCertResources(name) {
+		return nil
+	}
 	skip, err := cfg.preObtainOrRenewChecks(name, interactive)
 	if err != nil {
 		return err
@@ -296,16 +303,10 @@ func (cfg *Config) ObtainCert(name string, interactive bool) error {
 	if skip {
 		return nil
 	}
-
-	if cfg.storageHasCertResources(name) {
-		return nil
-	}
-
 	client, err := cfg.newACMEClient(interactive)
 	if err != nil {
 		return err
 	}
-
 	return client.Obtain(name)
 }
 
diff --git a/vendor/github.com/mholt/certmagic/user.go b/vendor/github.com/mholt/certmagic/user.go
index 9055a15..e5852d5 100644
--- a/vendor/github.com/mholt/certmagic/user.go
+++ b/vendor/github.com/mholt/certmagic/user.go
@@ -84,10 +84,11 @@ func (cfg *Config) getEmail(allowPrompts bool) error {
 		leEmail = Email
 	}
 	// Then try to get most recent user email from storage
+	var gotRecentEmail bool
 	if leEmail == "" {
-		leEmail = cfg.mostRecentUserEmail()
+		leEmail, gotRecentEmail = cfg.mostRecentUserEmail()
 	}
-	if leEmail == "" && allowPrompts {
+	if !gotRecentEmail && leEmail == "" && allowPrompts {
 		// Looks like there is no email address readily available,
 		// so we will have to ask the user if we can.
 		var err error
@@ -95,10 +96,14 @@ func (cfg *Config) getEmail(allowPrompts bool) error {
 		if err != nil {
 			return err
 		}
-		cfg.Agreed = true
 	}
-	// lower-casing the email is important for consistency
-	cfg.Email = strings.ToLower(leEmail)
+
+	// save the email for later and ensure it is consistent
+	// for repeated use; then update cfg with our new defaults
+	Email = strings.TrimSpace(strings.ToLower(leEmail))
+	cfg.Email = Email
+	cfg.Agreed = Agreed
+
 	return nil
 }
 
@@ -123,6 +128,11 @@ func (cfg *Config) getAgreementURL() (string, error) {
 	return dir.Meta.TermsOfService, nil
 }
 
+// promptUserForEmail prompts the user for an email address
+// and returns the email address they entered (which could
+// be the empty string). If no error is returned, then Agreed
+// will also be set to true, since continuing through the
+// prompt signifies agreement.
 func (cfg *Config) promptUserForEmail() (string, error) {
 	agreementURL, err := cfg.getAgreementURL()
 	if err != nil {
@@ -139,6 +149,7 @@ func (cfg *Config) promptUserForEmail() (string, error) {
 		return "", fmt.Errorf("reading email address: %v", err)
 	}
 	leEmail = strings.TrimSpace(leEmail)
+	Agreed = true
 	return leEmail, nil
 }
 
@@ -234,10 +245,10 @@ func (cfg *Config) askUserAgreement(agreementURL string) bool {
 // in s. Since this is part of a complex sequence to get a user
 // account, errors here are discarded to simplify code flow in
 // the caller, and errors are not important here anyway.
-func (cfg *Config) mostRecentUserEmail() string {
+func (cfg *Config) mostRecentUserEmail() (string, bool) {
 	userList, err := cfg.certCache.storage.List(StorageKeys.UsersPrefix(cfg.CA), false)
 	if err != nil || len(userList) == 0 {
-		return ""
+		return "", false
 	}
 	sort.Slice(userList, func(i, j int) bool {
 		iInfo, _ := cfg.certCache.storage.Stat(userList[i])
@@ -246,9 +257,9 @@ func (cfg *Config) mostRecentUserEmail() string {
 	})
 	user, err := cfg.getUser(path.Base(userList[0]))
 	if err != nil {
-		return ""
+		return "", false
 	}
-	return user.Email
+	return user.Email, true
 }
 
 // agreementTestURL is set during tests to skip requiring
diff --git a/vendor/manifest b/vendor/manifest
index 0abcba8..d00333f 100644
--- a/vendor/manifest
+++ b/vendor/manifest
@@ -138,7 +138,7 @@
 			"importpath": "github.com/mholt/certmagic",
 			"repository": "https://github.com/mholt/certmagic",
 			"vcs": "git",
-			"revision": "a7f18a937c080b88693cd4e14d48e42cc067b268",
+			"revision": "e3e89d1096d76d61680f8eeb8f67649baa6c54b8",
 			"branch": "master",
 			"notests": true
 		},